Crucial vulnerability patched in Jira Service Administration Server and Information Middle

A essential vulnerability was fastened this week in Jira Service Administration Server, a preferred IT providers administration platform for enterprises, that might permit attackers to impersonate customers and achieve entry to entry tokens. If the system is configured to permit public sign-up, exterior clients will be affected as properly.

The bug was launched in Jira Service Administration Server and Information Middle 5.3.0, so variations 5.3.0 to five.3.1 and 5.4.0 to five.5.0 are affected. Atlassian has launched fastened variations of the software program however has additionally supplied a workaround that includes updating a single JAR file in impacted deployments. Atlassian Cloud situations should not susceptible.

Damaged Jira authentication

Atlassian describes the vulnerability, tracked as CVE-2023-22501, as a damaged authentication challenge and charges it as essential severity in accordance with its personal severity scale.

“With write entry to a Person Listing and outgoing electronic mail enabled on a Jira Service Administration occasion, an attacker might achieve entry to signup tokens despatched to customers with accounts which have by no means been logged into,” the corporate defined in its advisory. “Entry to those tokens will be obtained in two circumstances: If the attacker is included on Jira points or requests with these customers, or if the attacker is forwarded or in any other case beneficial properties entry to emails containing a ‘View Request’ hyperlink from these customers.”

Bot accounts that have been created to work with Jira Service Administration are significantly vulnerable to this situation, the corporate warned. Even when the flaw does not affect customers synced through read-only Person Directories or SSO, customers who work together with the occasion through electronic mail are nonetheless affected even when SSO is enabled.

Jira Service Administration can be utilized to arrange and handle a service middle that unifies assist desks throughout totally different departments, reminiscent of IT, HR, Finance, or Buyer Service, permitting groups to raised work on shared duties collectively. It additionally permits corporations to handle asset, carry out inventories, observe possession and lifecycle, IT groups can handle infrastructure configuration and observe service dependencies, and may construct data bases for self-service. Given the numerous options that the platform helps and the duties it may be used for in a company surroundings, the probability of numerous staff, contractors and clients having accounts on it are excessive and so is the opportunity of abuse.

Jira Service Administration vulnerability mitigation

The corporate stresses that corporations who do not expose Jira Service Administration publicly ought to nonetheless replace to a hard and fast model as quickly as potential. If they can not improve the entire system, they need to obtain the fastened servicedesk-variable-substitution-plugin JAR for his or her explicit model, cease Jira, copy the file within the <Jira_Home>/plugins/installed-plugins listing after which begin Jira once more.

As soon as the fastened JAR or the repair model has been put in, corporations can search the database for customers with the com.jsm.usertokendeletetask.accomplished property set to “TRUE” for the reason that susceptible model has been put in. These are customers who might have been impacted, so the subsequent step is to confirm that they’ve the proper electronic mail addresses. Inner customers ought to have the proper electronic mail area and publicly signed-up customers ought to have their usernames an identical to their electronic mail handle.

A password reset ought to then be compelled for all probably affected customers, which includes a affirmation electronic mail being despatched, so it is crucial their electronic mail addresses are right. The JIRA API can be utilized to pressure password resets, together with expiring any energetic periods and logging out any potential attackers.

“Whether it is decided that your Jira Service Administration Server/DC occasion has been compromised, our recommendation is to instantly shut down and disconnect the server from the community/web,” the corporate stated in a FAQ document accompanying the advisory. “Additionally, it’s possible you’ll wish to instantly shut down another programs which probably share a consumer base or have widespread username/password combos with the compromised system. Earlier than doing anything you will want to work together with your native safety group to determine the scope of the breach and your restoration choices.”

Copyright © 2023 IDG Communications, Inc.